Migrate danflix to hetzner

modules/dungflix/default.nix

@@ -3,21 +3,21 @@
   config,
   ...
 }: let
-  mountdir = "/var/media/dungflix";
+  mountdir = "/var/media/danflix";
 
   rclone_config = pkgs.writeText "" ''
-    [dungflix]
-    type = b2
+    [danflix-storage-box]
+    type = sftp
 
-    [dungflix-vault]
+    [danflix-crypto]
     type = crypt
-    remote = dungflix:dungflix-bucket
+    remote = danflix-storage-box:danflix
   '';
 in {
   age.secrets = {
-    dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age;
-    dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age;
-    dungflix_crypt_remote_obscured_pass.file = ../../secrets/dungflix_crypt_remote_obscured_pass.age;
+    danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age;
+    danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age;
+    danflix_env_file.file = ../../secrets/danflix_env_file.age;
   };
 
   services = {
@@ -40,27 +40,27 @@ in {
     MemoryMax = "1G";
   };
 
-  systemd.services.dungflix-mount = {
-    description = "Mount the Backblaze B2 media store";
+  systemd.services.danflix-mount = {
+    description = "Mount the Hetzner Storage Box media store";
     wantedBy = ["multi-user.target"];
     path = [pkgs.fuse3];
     preStart = ''
       mkdir -p -m 777 ${mountdir}
     '';
+    environment = {
+      "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path;
+    };
     script = ''
-      export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path})
-      export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path})
-      export RCLONE_CRYPT_PASSWORD=''$(cat ${config.age.secrets.dungflix_crypt_remote_obscured_pass.path})
-      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount dungflix-vault: ${mountdir} \
-        --transfers 32 \
+      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \
          --vfs-cache-mode full \
          --vfs-cache-max-age 336h \
-        --vfs-cache-max-size 120G \
+         --vfs-cache-max-size 60G \
          --allow-other \
          --no-modtime \
          --rc \
+         --rc-addr=localhost:5573 \
          --rc-no-auth \
-        -vv
+         -v
     '';
     postStart = ''
       sleep 5
@@ -71,6 +71,7 @@ in {
       fusermount -u ${mountdir}
     '';
     serviceConfig = {
+      EnvironmentFile = config.age.secrets.danflix_env_file.path;
       Restart = "on-failure";
     };
   };

secrets/danflix_storage_box_crypt_pw.age

@@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> ssh-ed25519 eYYv1Q olD4OIi8YC5KZN7rVfOcis+OOvmJI27FsXN19tEX5lk
+493ZDJgwYbzPsthtQtIzzHpVtj9ocje15w9wq5JtHSI
+-> ssh-ed25519 Bp5IaA FbriZLB/tTQflwwqgMrJUgcMibx6vG+UI841ZjiOmlM
+l/rutNoo4EnL6qr3wkMNGbDHcIC+CGZgfOcsoSoHCAE
+-> ssh-ed25519 T/DpgA M+PqxOvScPQU58bYwQqtQaLykzKW5fIibAfoKNDPUHM
+1l2ZBg3naogcGeQhzDgonuPEFA+zjL/tZBCMwa6rIDY
+-> ssh-ed25519 qMgRFg e3SJOsknOfqOdyqXvqTJ3+xo6ueWYSEyicj34+ufjDs
+oOGb2SzADeydEtCO5eDyYGxJG0ZCLseAwslR3E6LsUs
+-> ssh-ed25519 dMZXNw N/D2EAYhGZkwtiDDf+0Krb/pOVjG66PLLBdeSAWqo1k
+vs2fnH6CAcyvoDuPTmgjmMkUcIK9VHmQGfHOcpy71hU
+-> ssh-ed25519 70Nt2Q tr8TufTCMfU+8KtIdkFjyczVRiKUvFZ6rwGOPYUObVY
++akmkrm1+GIONvR3dR+Sj9d3Ajj+PqzYVn4SWWEKmo8
+-> *_-grease |uf+h
+NP9bxjUd03lJnmXKlH7wx0+1E2fQit01FsnXk8MtCzbSzf3DZUi5pHk0KAOUIpOE
+uu81CrNA4J7InBlX56qNDqGMuQ
+--- vE2U4+bAt/AmUZdwD05PYzzxeVl6IVGHjEOgNfqfAWI
+<EFBFBD><EFBFBD> <20><>k
1K<11>q<EFBFBD><71><EFBFBD>_<EFBFBD>?<3F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Tp8w1<77>0<<3C>hjX<6A>Q<EFBFBD><51><EFBFBD><EFBFBD>Օ<EFBFBD><D595>

secrets/dungflix_bucket_account_key.age

@@ -1,20 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 eYYv1Q NfUs85CEft9jTh44fnAnN/PcdOQ2mdEByoNkyUCNrWQ
-MvA9BA3RoV2DRovXvlJzbY1E5lXdNSvkV82gtNCh6PA
--> ssh-ed25519 Bp5IaA lSrjQhwuY8ZiwVC82azl8rqN0/WasK4ZGRq9ohWDAVQ
-CPBY/Eq7MJ6Em+h6ro3HtfRqn9gn5BR3z//dA+SHjxw
--> ssh-ed25519 T/DpgA cv9z3Ihe/GydTPMSXXiNFxNFQwVYyZBDO1TVGCygoAo
-t4yCcPpM2Z7sqN55GbXUuLE0hvD7jXU1dCqOHcDT400
--> ssh-ed25519 qMgRFg jAcoxq4wyu8rYQGrt/rKUFSwp0Hz4QL4asEuJdA6nl0
-K+bqqoheMofX+iwcZYCE4Y558m/kzqUHyieaDQ8jJgw
--> ssh-ed25519 dMZXNw imeVQpYX9guxDPulzYYeHedYxZsmTngy+jgpQulRo1Y
-kpYgC6nzrhZsXkYHAl1273fwZ345towB1K84riX+Y+Q
--> ssh-ed25519 GzHGXw fgC690PsBF/lgRF9zwZqhvRkrK9Pm65tcZUWKzxookE
-haaWg3MNhKl1+CodRS+4MzwRVsKgVaox/Kf2YnmBNVY
--> ssh-ed25519 70Nt2Q 46a4VTEFv80jOpVl/54J3sJhBUS4G1XqrAoPReb3gjs
-ihr26HDZ40F6WJEqJmQgkjAUnnrz0Tc0ck26yLW0wOY
--> @c_kw-grease Au)%'xOy C/ A$Rd
-X7eu3QrQyKDn
---- pqgV/pzN+qsLtrbL2382/1056D925Ko5y5Oe3vwWmoc
-<EFBFBD><EFBFBD><EFBFBD>h<EFBFBD>3<>|<7C><><EFBFBD>wzb<7A><62>I<EFBFBD>0/<2F>:U<>.m
(/<<3C>x<EFBFBD>P<03><><19><>o<EFBFBD><19><>U0<>\
-<EFBFBD>'p;

secrets/dungflix_crypt_remote_obscured_pass.age

@@ -1,21 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 eYYv1Q IGdoQqDAFgxgWVlqEpZJvG9gE2KCKoXpMmvburw8Fhk
-66QE8kwl63xnvYj7nwmT6qR6Jj8fCfrzf/iAB7U+AU4
--> ssh-ed25519 Bp5IaA n3lgDi3bCV0t/TOjqdsNTRxnAlCs0GxoPPjpnaeIrzQ
-Ip98hCbmz4W8+NY85DWv/nHHmLANfwo0rNaI2N6N0kQ
--> ssh-ed25519 T/DpgA VGDYHrof8rh7WTZ3DOrTIVcfyKkVbLJTL8bDDSfS4C8
-3o3A3jfTL8L0dbpv9Xe3Oy93U3XkkjhRX0tqQtSZDtw
--> ssh-ed25519 qMgRFg Jchcic5fvRBviRtbdUyMl76Ea0aGW/7tRWkTt2habAg
-91DpFYKWqA4rawbzkEEkLNRay352vkuU0srVBwYFkco
--> ssh-ed25519 dMZXNw Sa+BZdY+YLrlQkX7G7VSF/k6oVAVo17zSgXbq1OiqR8
-xu894gtzqTFNDyvzwtejNw3WkMnVQLcpIaVF0CgVODI
--> ssh-ed25519 GzHGXw 2WNPWILkiCseWMN5GHpfNs9T566GV6dUxqse+YVXTSA
-W1MT/CHcZKefKb+7UK8PWwDP0cDCOU1JKpiXTk0vY10
--> ssh-ed25519 70Nt2Q QnL9dyxLSG64ncFRCoLOEWtBI1y0qRDj0a0TESW4bXY
-kHHQA72guLb7YYbU7/CTawylq1uNzcgNRwpS2z2WzeA
--> hg3-grease
-O2O1JT79k6zrpiuexN5i/1eP5cTzjOPjHS3BCvprA/JxSxUNrV+a1RFFmLb6OTad
-8cR0wG66tw6xaYQLvxWiKCzh2AqXkQ
---- tkk6rwRnFGtrrl6Z0kDoqS/NPV4hFhlKvwJ52zGuy+U
-B<><42><EFBFBD>]$So<><6F>e(kV8ca<63><61><EFBFBD>LG<4C><47>(<28>ȗF<C897><10><><EFBFBD>Y<EFBFBD>mɒ<6D>h<EFBFBD><68>1<10>ď<13>y<15><><EFBFBD><18>L<EFBFBD><1F>ѩzJ!gD<67>{
n<>U
-<EFBFBD>N0<1A>

secrets/dungflix_crypt_remote_pass.age

@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 eYYv1Q HzNRL7zq6Lrum/2tHKjacsv1Y0LlXmgOZNWLXAk2lWg
-no6sDeinVG3TPu3UVOEDauVrHqmJGzMgHB6Dr6UNrDE
--> ssh-ed25519 Bp5IaA 9UvpQHut2BFiXIkR+q1A/Ik4AYvwghddk9Fi5+rw4mM
-Zs/ggJfYh/epVFRiJEnvICceCnlZBifeGLRDI/Eosj0
--> ssh-ed25519 T/DpgA k40Cb32UbfjsApxi0ccO4u8xP12uWpTot02BSCUvP08
-LfXJLsRtNklus14Pg3TsDt9MMbRi9SrH7uvefK9Hxso
--> ssh-ed25519 qMgRFg iS9incss6tduf58gxdA8R5dqnwpXFy9PB8ZwNVWbvyc
-e4KTD8Z4fUeaLAiqKGQXi/AIkyjlYEUNraHSB+TFhiM
--> ssh-ed25519 dMZXNw DKMC+uCWkUEOF2fFL6o41UuggAzcWHwM5TwYzw+5sjQ
-zu/YdI+pzudPH7azRqwmDvf81m48EZYK9c3UcVPTaVI
--> ssh-ed25519 GzHGXw OX7ylQzBuyzErkhOpiUrBPhlGx/TrAgK5KuI6yEo4EY
-DxeylfaVBkDEWxxRz3KCr5UZsREfqXwoAnC5tAdyFL4
--> ssh-ed25519 70Nt2Q pcGNeTUV7utxnH5a4H78YOvr8cpORGkQ7p8hh569zz4
-STlbScxYbWXV3B8T+2PSiLfGkjKudkXwkRG67ZHlwtE
--> s-grease
-FHLY7TFsme9Wd43MaAzpXiolSX0
---- b2uVM8dc8IXnmG4fb/DjApdEJ3yngTDN8d7J0mbYYYw
-B<EFBFBD>љ<><13><>V<><56><EFBFBD><19><>EM<45><4D>N<EFBFBD>M<EFBFBD>=ݫ<>?]<5D><>A%
<01><><EFBFBD><EFBFBD><EFBFBD>5<05>2/<2F>Xv5`[

secrets/secrets.nix

@@ -29,4 +29,8 @@ in {
   "sendmail_email_key_gitea.age".publicKeys = users ++ [system4];
   "gitea_actions_runner_token.age".publicKeys = users ++ [system4];
   "sliding_sync_env_file.age".publicKeys = users ++ [system4];
+  "danflix_hetzner_storage_box_pub_key.age".publicKeys = users ++ [system4];
+  "danflix_storage_box_crypt_pw.age".publicKeys = users ++ [system4];
+  "danflix_storage_box_crypt_obscured_pw.age".publicKeys = users ++ [system4];
+  "danflix_env_file.age".publicKeys = users ++ [system4];
 }